e016790fe1
- Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581) * 0001-video-Remove-trailing-whitespaces.patch * 0002-loader-efi-chainloader-Simplify-the-loader-state.patch * 0003-commands-boot-Add-API-to-pass-context-to-loader.patch - Fix CVE-2022-28736 (bsc#1198496) * 0004-loader-efi-chainloader-Use-grub_loader_set_ex.patch - Fix CVE-2022-28735 (bsc#1198495) * 0005-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch * 0006-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch * 0007-video-readers-png-Abort-sooner-if-a-read-operation-f.patch * 0008-video-readers-png-Refuse-to-handle-multiple-image-he.patch - Fix CVE-2021-3695 (bsc#1191184) * 0009-video-readers-png-Drop-greyscale-support-to-fix-heap.patch - Fix CVE-2021-3696 (bsc#1191185) * 0010-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch * 0011-video-readers-png-Sanity-check-some-huffman-codes.patch * 0012-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch * 0013-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch * 0014-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch - Fix CVE-2021-3697 (bsc#1191186) * 0015-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch * 0016-normal-charset-Fix-array-out-of-bounds-formatting-un.patch - Fix CVE-2022-28733 (bsc#1198460) * 0017-net-ip-Do-IP-fragment-maths-safely.patch * 0018-net-netbuff-Block-overly-large-netbuff-allocs.patch * 0019-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch * 0020-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch * 0021-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch * 0022-net-tftp-Avoid-a-trivial-UAF.patch * 0023-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch OBS-URL: https://build.opensuse.org/request/show/981228 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=416
60 lines
1.8 KiB
Diff
60 lines
1.8 KiB
Diff
From cc43d9a3d77069850f993fbc4ae47c941bf284b9 Mon Sep 17 00:00:00 2001
|
|
From: Daniel Axtens <dja@axtens.net>
|
|
Date: Thu, 16 Sep 2021 01:29:54 +1000
|
|
Subject: [PATCH 19/32] net/dns: Fix double-free addresses on corrupt DNS
|
|
response
|
|
|
|
grub_net_dns_lookup() takes as inputs a pointer to an array of addresses
|
|
("addresses") for the given name, and pointer to a number of addresses
|
|
("naddresses"). grub_net_dns_lookup() is responsible for allocating
|
|
"addresses", and the caller is responsible for freeing it if
|
|
"naddresses" > 0.
|
|
|
|
The DNS recv_hook will sometimes set and free the addresses array,
|
|
for example if the packet is too short:
|
|
|
|
if (ptr + 10 >= nb->tail)
|
|
{
|
|
if (!*data->naddresses)
|
|
grub_free (*data->addresses);
|
|
grub_netbuff_free (nb);
|
|
return GRUB_ERR_NONE;
|
|
}
|
|
|
|
Later on the nslookup command code unconditionally frees the "addresses"
|
|
array. Normally this is fine: the array is either populated with valid
|
|
data or is NULL. But in these sorts of error cases it is neither NULL
|
|
nor valid and we get a double-free.
|
|
|
|
Only free "addresses" if "naddresses" > 0.
|
|
|
|
It looks like the other use of grub_net_dns_lookup() is not affected.
|
|
|
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/net/dns.c | 6 ++++--
|
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
|
|
index 906ec7d678..135faac035 100644
|
|
--- a/grub-core/net/dns.c
|
|
+++ b/grub-core/net/dns.c
|
|
@@ -667,9 +667,11 @@ grub_cmd_nslookup (struct grub_command *cmd __attribute__ ((unused)),
|
|
grub_net_addr_to_str (&addresses[i], buf);
|
|
grub_printf ("%s\n", buf);
|
|
}
|
|
- grub_free (addresses);
|
|
if (naddresses)
|
|
- return GRUB_ERR_NONE;
|
|
+ {
|
|
+ grub_free (addresses);
|
|
+ return GRUB_ERR_NONE;
|
|
+ }
|
|
return grub_error (GRUB_ERR_NET_NO_DOMAIN, N_("no DNS record found"));
|
|
}
|
|
|
|
--
|
|
2.34.1
|
|
|